This chapter is from the book

The security of your network is evaluated daily. A more useful question is, "Are
you the one doing it?" The answer, hopefully, is that someone on your
side is involved in assessing the effectiveness of your defenses; however,
there is overwhelming evidence that you are not the only party probing your
network's perimeter. Internet-facing systems (computers with IP addresses
that can be reached from the Internet) receive anywhere from several to hundreds
or even thousands of attack attempts every day. Many of these are simple scans
that we know how to defend against, but others catch us by surprise, unexpectedly
shifting us into incident investigation and cleanup mode.

Does your organization have access to expertise in all aspects of perimeter
security, including networking, firewalls, intrusion detection systems (IDSs),
intrusion prevention systems (IPSs), Virtual Private Networks (VPNs), UNIX
security, and Windows security? In the pages ahead, we will show you how all
these protective measures work together. Can you definitively say how secure
or insecure your network is? Does everyone in your organization understand
the policies related to information security and their implications? One hint
that they do not is the famous expression, "But we have a firewall!" If
you work in information security, you probably hear this phrase more often
than you would like to, because it seems to express the opinion of many people,
both technical and nontechnical.

One of the most challenging aspects of securing modern networks, even those
that already have firewalls, is that they are porous. Wireless
connections, portable storage devices, mobile systems, and links to partner
sites offer a multitude of ways in which data can get in and out of our networks,
bypassing our border defenses. This is one of the reasons why a single security
component cannot properly defend a network. However, many components working
together can. Defense in depth, a major theme of this chapter and this
book, is the process of layering these components to capitalize on their respective
strengths. It is flexible, in that it allows us to select components based
on technical, budgetary, and organizational constraints and combine them in
a way that doesn't compromise the overall security or usability of the
network.

We will begin this chapter by defining some common terms of the trade to ensure
that we're all on the same page. Then we'll discuss core components
of defense in depth, to illustrate how various aspects of the security perimeter
can complement each other to form a balanced whole. We will close with a discussion
of the Nimda worm and show how defense in depth can help protect your network
against such an attack.

Terms of the Trade

We need a common frame of reference when it comes to terms used throughout
the book, because one person's definitions might not be the same as someone
else's. To that end, we'll define the perimeter, the border router, a
firewall, an IDS, an IPS, a VPN, software architecture, as well as
De-Militarized Zones (DMZs) and screened subnets.

The Perimeter

What exactly is the perimeter? Some people, when they hear the term
perimeter, may conjure up an image of a small squad of soldiers spread
out on the ground in a circular formation. Others may come up with the
circling-the-wagons image. Before we move on, ask yourself, "What is a
perimeter?"

In the context of this book, a perimeter is the fortified boundary of the
network that might include the following aspects:

Border routers

Firewalls

IDSs

IPSs

VPN devices

Software architecture

DMZs and screened subnets

Let's take a look at these perimeter components in closer detail.

Border Routers

Routers are the traffic cops of networks. They direct traffic into, out of,
and within our networks. The border router is the last router you
control before an untrusted network such as the Internet. Because all of an
organization's Internet traffic goes through this router, it often
functions as a network's first and last line of defense through initial and
final filtering.

Firewalls

A firewall is a chokepoint device that has a set of rules specifying
what traffic it will allow or deny to pass through it. A firewall typically
picks up where the border router leaves off and makes a much more thorough pass
at filtering traffic. Firewalls come in several different types, including
static packet filters, stateful firewalls, and proxies. You might use a static
packet filter such as a Cisco router to block easily identifiable
"noise" on the Internet, a stateful firewall such as a Check Point
FireWall-1 to control allowed services, or a proxy firewall such as Secure
Computing's Sidewinder to control content. Although firewalls aren't
perfect, they do block what we tell them to block and allow what we tell them to
allow.
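To make the difference between a static packet filter and a stateful firewall concrete, here is an added illustration in Python; it is not code from this book or from any of the products named above. It models an ACL-style stateless filter that admits any inbound TCP packet with the ACK bit set (the usual stand-in for "established" traffic) beside a stateful filter that admits only packets belonging to a connection it saw opened from the inside. The 10.0.0.0/24 internal range, the field names, the rule order, and the packet records are all constructed for the example; the third packet is an ACK probe of the kind a port scanner sends to map what a stateless filter lets through.

```python
"""Static (stateless) packet filter versus stateful firewall.

Added illustration, not code from the book or from any product it names.
Packets are plain dicts built inline; the rule logic, field names, and the
10.0.0.0/24 internal network are assumptions for this example.
"""

INTERNAL_PREFIX = "10.0.0."   # assumed internal network (prefix match keeps it simple)


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def pkt(proto, src, sport, dst, dport, flags=""):
    """Minimal packet record: five-tuple plus TCP flag letters (S, A, F, R)."""
    return {"proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": flags}


def static_filter(p):
    """Stateless rules in the style of a router ACL.

    1. Permit TCP leaving the internal network.
    2. Permit inbound TCP only when the ACK bit is set ("established"),
       the only way a stateless device can approximate reply traffic.
    3. Deny everything else.
    The filter has no memory, so rule 2 also admits any forged ACK.
    """
    if p["proto"] != "tcp":
        return "deny"
    if is_internal(p["src"]) and not is_internal(p["dst"]):
        return "permit"
    if is_internal(p["dst"]) and not is_internal(p["src"]) and "A" in p["flags"]:
        return "permit"
    return "deny"


class StatefulFirewall:
    """Tracks connections opened from the inside and admits only their traffic."""

    def __init__(self):
        self.table = set()   # entries are (src, sport, dst, dport) of the opening SYN

    def filter(self, p):
        if p["proto"] != "tcp":
            return "deny"
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        reverse = (p["dst"], p["dport"], p["src"], p["sport"])
        # A SYN from inside to outside opens a new connection entry.
        if is_internal(p["src"]) and not is_internal(p["dst"]) and p["flags"] == "S":
            self.table.add(key)
            return "permit"
        # Everything else must belong to a tracked connection, in either direction.
        if key in self.table or reverse in self.table:
            if "F" in p["flags"] or "R" in p["flags"]:   # teardown removes the entry
                self.table.discard(key)
                self.table.discard(reverse)
            return "permit"
        return "deny"


def run_demo():
    """Replay a constructed packet sequence through both filters.

    Returns the two verdict lists so they can be compared side by side.
    """
    sequence = [
        pkt("tcp", "10.0.0.5", 40000, "203.0.113.7", 80, "S"),     # outbound SYN
        pkt("tcp", "203.0.113.7", 80, "10.0.0.5", 40000, "SA"),    # its SYN/ACK reply
        pkt("tcp", "198.51.100.9", 31337, "10.0.0.5", 22, "A"),    # ACK probe, no connection
    ]
    fw = StatefulFirewall()
    return {
        "static": [static_filter(p) for p in sequence],
        "stateful": [fw.filter(p) for p in sequence],
    }


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(f"{name:9s} {verdicts}")
```

The static filter passes all three packets, the stateful one drops the probe. That is the practical reason a border router ACL is used to shed obvious noise while a stateful firewall behind it makes the real allow/deny decisions: the router cannot tell a reply from a forged ACK, the firewall can.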

Intrusion Detection Systems

An IDS is like a burglar alarm system for your network that is used
to detect and alert on malicious events. The system might comprise many
different IDS sensors placed at strategic points in your network. Two basic
types of IDS exist: network-based (NIDS), such as Snort or Cisco Secure IDS, and
host-based (HIDS), such as Tripwire or ISS BlackICE. NIDS sensors monitor
network traffic for suspicious activity. NIDS sensors often reside on subnets
that are directly connected to the firewall, as well as at critical points on
the internal network. HIDS sensors reside on and monitor individual hosts.

In general, IDS sensors watch for predefined signatures of malicious events,
and they might perform statistical and anomaly analysis. When IDS sensors detect
suspicious events, they can alert in several different ways, including email,
paging, or simply logging the occurrence. IDS sensors can usually report to a
central database that correlates their information to view the network from
multiple points.

Intrusion Prevention Systems

An IPS is a system that automatically detects and thwarts computer
attacks against protected resources. In contrast to a traditional IDS, which
focuses on notifying the administrator of anomalies, an IPS strives to
automatically defend the target without the administrator's direct
involvement. Such protection may involve using signature-based or behavioral
techniques to identify an attack and then blocking the malicious traffic or
system call before it causes harm. In this respect, an IPS combines the
functionality of a firewall and IDS to offer a solution that automatically
blocks offending actions as soon as it detects an attack.

As you will learn in Chapter 11, "Intrusion Prevention Systems,"
some IPS products exist as standalone systems, such as TippingPoint's
UnityOne device. Additionally, leading firewall and IDS vendors are
incorporating IPS functionality into their existing products.
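The following Python sketch, added here rather than taken from the book or from Snort, ISS, TippingPoint or any other product, runs the two detection approaches the IDS section mentions, signature matching and a simple statistical threshold, over a handful of constructed packets, and then shows the IDS/IPS contrast from the section above: detect() returns alerts and touches nothing, while enforce() drops matching packets inline before they reach the target. The signatures, the scan threshold, and the traffic are all made up for the example.

```python
"""Signature and anomaly detection, in IDS mode and in IPS mode.

Added example, not code from the book or from Snort or any vendor product.
Signatures, the scan threshold, and the traffic are constructed for it.
"""
from collections import defaultdict

# Constructed signatures: fire when a packet to dport carries content.
SIGNATURES = [
    {"sid": 1001, "msg": "HTTP directory traversal attempt", "dport": 80, "content": b"../"},
    {"sid": 1002, "msg": "SQL injection probe in request", "dport": 80, "content": b"' OR '1'='1"},
]

# Constructed anomaly rule: one source touching this many distinct
# destination ports is reported as a port scan.
SCAN_THRESHOLD = 5


def match_signatures(p):
    """Return the signatures whose port and content both match packet p."""
    return [s for s in SIGNATURES
            if p["dport"] == s["dport"] and s["content"] in p["payload"]]


def detect(packets, scan_threshold=SCAN_THRESHOLD):
    """IDS mode: inspect a copy of the traffic and return alerts only.

    Each alert is (sid, message, source address). Nothing is blocked.
    """
    alerts = []
    ports_by_src = defaultdict(set)
    for p in packets:
        for s in match_signatures(p):
            alerts.append((s["sid"], s["msg"], p["src"]))
        ports_by_src[p["src"]].add(p["dport"])
        if len(ports_by_src[p["src"]]) == scan_threshold:   # alert once per source
            alerts.append((2001, "possible port scan", p["src"]))
    return alerts


def enforce(packets):
    """IPS mode: same signatures, but matching packets are dropped inline.

    Returns (passed, dropped). A false positive here costs a blocked
    legitimate session, not just an analyst's time.
    """
    passed, dropped = [], []
    for p in packets:
        (dropped if match_signatures(p) else passed).append(p)
    return passed, dropped


def sample_traffic():
    """Constructed traffic: a normal request, a traversal attempt, then a scan."""
    traffic = [
        {"src": "203.0.113.7", "dport": 80, "payload": b"GET /index.html HTTP/1.1"},
        {"src": "198.51.100.9", "dport": 80, "payload": b"GET /../../etc/passwd HTTP/1.1"},
    ]
    traffic += [{"src": "198.51.100.9", "dport": port, "payload": b""}
                for port in (21, 22, 23, 25, 110)]
    return traffic


if __name__ == "__main__":
    for alert in detect(sample_traffic()):
        print("ALERT", alert)
    passed, dropped = enforce(sample_traffic())
    print(f"IPS passed {len(passed)} packets, dropped {len(dropped)}")
```

Note what enforce() does not do: it never acts on the port-scan heuristic, only on content signatures. That mirrors a caveat practitioners apply to real IPS deployments: a threshold-based anomaly alert is cheap to raise for an analyst to review, but turning it into an automatic block means a legitimate but busy host can be cut off by a tuning mistake.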

Virtual Private Networks

A VPN is a protected network session formed across an unprotected
channel such as the Internet. Frequently, we reference a VPN in terms of the
device on the perimeter that enables the encrypted session, such as Cisco VPN
Concentrator. The intended use might be for business partners, road warriors, or
telecommuters. A VPN allows an outside user to participate on the internal
network as if connected directly to it. Many organizations have a false sense of
security regarding their remote access just because they have a VPN. However, if
an attacker compromises the machine of a legitimate user, a VPN can give that
attacker an encrypted channel into your network. You might trust the security of
your perimeter, but you have little control over your telecommuters'
systems connecting from home, a hotel room, or an Internet café. Similar
issues of trust and control arise with the security of nodes connected over a
VPN from your business partner's network.

Software Architecture

Software architecture refers to applications that are hosted on the
organization's network, and it defines how they are structured. For
example, we might structure an e-commerce application by splitting it into three
distinct tiers:

The web front end that is responsible for how the application is
presented to the user

The application code that implements the business logic of the
application

The back-end databases that store underlying data for the
application

Software architecture plays a significant role in the discussion of a
security infrastructure because the primary purpose of the network's
perimeter is to protect the application's data and services. When securing
the application, you should ensure that the architecture of the software and the
network is harmonious.

De-Militarized Zones and Screened Subnets

We typically use the terms DMZ and screened subnet in
reference to a small network containing public services connected directly to
and offered protection by the firewall or other filtering device. A DMZ and a
screened subnet are slightly different, even though many people use the terms
interchangeably. The term DMZ originated during the Korean War when a strip of
land at the 38th parallel was off-limits militarily. A DMZ is an insecure area
between secure areas. Just as the DMZ in Korea was in front of any defenses, the
DMZ, when applied to networks, is located outside the firewall. A firewall or a
comparable traffic-screening device protects a screened subnet that is directly
connected to it. Remember this: A DMZ is in front of a firewall, whereas a
screened subnet is behind a firewall. In the context of this book, we will
adhere to these definitions. Note the difference in Figure
1.1.

A screened subnet is an isolated network that is connected to a dedicated
interface of a firewall or another filtering device. The screened subnet is
frequently used to segregate servers that need to be accessible from the
Internet from systems that are used solely by the organization's internal
users. The screened subnet typically hosts "public" services,
including DNS, mail, and web. We would like to think these servers are
bastion hosts. A bastion is a well-fortified position. When applied to
hosts on a network, fortifying involves hardening the operating system and
applications according to best practices. As attacks over time have shown, these
servers are not always well fortified; in fact, they are sometimes vulnerable
despite being protected by a firewall. We must take extra care fortifying these
hosts because they are the target of the majority of attacks and can bring the
attacker closer to accessing even more critical internal resources.

Figure 1.1 The DMZ is located in front of the firewall; the screened subnet
is isolated from the internal network, but it still enjoys the protections
that the firewall offers.
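As an added example (not from the book) of keeping software and network architecture "harmonious" in the sense of the Software Architecture section above, and of limiting what a compromised bastion host on the screened subnet can reach, the Python below places the three tiers of the e-commerce application into perimeter zones and checks a set of firewall rules against the flows the architecture actually needs. Tier names, zone names, and port numbers are assumptions chosen for the illustration; the two "convenience" rules at the end of sample_rules() are constructed to show what the audit catches.

```python
"""Checking that firewall rules agree with a tiered application's architecture.

Added example, not code from the book. Tier names, the zone each tier sits
in, and the port numbers are assumptions chosen for the illustration.
"""

# Which perimeter zone hosts each tier (constructed placement): only the
# web front end sits on the screened subnet; app and database stay internal.
ZONE_OF = {
    "internet": "internet",
    "web": "screened_subnet",
    "app": "internal",
    "db": "internal",
}

# Flows the three-tier design actually needs: (src_tier, dst_tier, proto, port).
REQUIRED_FLOWS = {
    ("internet", "web", "tcp", 443),
    ("web", "app", "tcp", 8080),
    ("app", "db", "tcp", 5432),
}


def allowed(src, dst, proto, port):
    """Policy decision: permit only the flows the architecture requires."""
    return (src, dst, proto, port) in REQUIRED_FLOWS


def audit_rules(rules):
    """Compare proposed firewall rules with the architecture.

    Returns a list of (finding, rule). A rule is flagged when it permits a
    flow the design does not need; the finding text is more specific when
    the rule lets the Internet into the internal zone directly or lets the
    exposed web host reach more of the internal zone than its app peer.
    """
    findings = []
    for r in rules:
        flow = (r["src"], r["dst"], r["proto"], r["port"])
        if flow in REQUIRED_FLOWS:
            continue
        src_zone, dst_zone = ZONE_OF[r["src"]], ZONE_OF[r["dst"]]
        if src_zone == "internet" and dst_zone == "internal":
            findings.append(("Internet reaches the internal zone directly", r))
        elif src_zone == "screened_subnet" and dst_zone == "internal":
            findings.append(("exposed host on the screened subnet reaches the internal zone", r))
        else:
            findings.append(("flow not required by the architecture", r))
    return findings


def sample_rules():
    """Constructed rule set: the three required flows plus two shortcuts
    an administrator might add for convenience."""
    return [
        {"src": "internet", "dst": "web", "proto": "tcp", "port": 443},
        {"src": "web", "dst": "app", "proto": "tcp", "port": 8080},
        {"src": "app", "dst": "db", "proto": "tcp", "port": 5432},
        {"src": "web", "dst": "db", "proto": "tcp", "port": 5432},       # bypasses the app tier
        {"src": "internet", "dst": "db", "proto": "tcp", "port": 5432},  # exposes the database
    ]


if __name__ == "__main__":
    for finding, rule in audit_rules(sample_rules()):
        print(f"{finding}: {rule['src']} -> {rule['dst']} {rule['proto']}/{rule['port']}")
```

The check is deliberately tied to the application's tiers rather than to addresses: when the web front end is the bastion host that takes the majority of attacks, the only internal thing it should be able to open is the application port, so that compromising it buys the attacker one more layer to get through rather than the database itself.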

Now that we have defined core components of the network perimeter, let's
look at how they can be applied in an architecture according to the principle of
defense in depth.